Security & privacy

Securing programmatic access

How API keys, webhooks, and AI connections are scoped and kept in check.

3 min read · Updated June 28, 2026


When you connect Stoatify to your own tools, every path in is scoped and revocable, so automation never becomes a way around your permissions.

Screenshot: the API keys screen in Stoatify, showing scoped keys with per-object permissions, last-used times, and Rotate and Revoke actions. Each key is capped by your own permissions, with rotate and revoke available.

API keys

  • Every API key is scoped to specific objects and actions, and capped by your own role: a key can never do more than you can.
  • Keys are stored hashed, shown once, and can be rotated or revoked any time.
  • Keys can't manage other keys (that's session-only), so a leaked key can't mint more.
  • A key gets no owner shortcuts on restricted items; it's held to exactly its granted access.
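As an added illustration of the capping rule above (example code, not Stoatify's own; the key format, object ids, action names and data model are assumptions), a minimal authorizer that stores only a hash of the key, intersects the key's granted scopes with the holder's live permissions, and refuses key-management actions:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Illustrative model only; object ids, action names and key format are assumptions.

@dataclass
class ApiKey:
    key_hash: str      # only the SHA-256 of the secret is stored, never the secret
    scopes: dict       # object_id -> set of actions granted to this key
    revoked: bool = False


def hash_key(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


def mint_key(scopes: dict) -> tuple[str, ApiKey]:
    """Create a key; the plaintext secret is returned exactly once."""
    secret = "sk_" + secrets.token_urlsafe(24)
    return secret, ApiKey(key_hash=hash_key(secret), scopes=scopes)


def lookup(store: list, presented: str):
    """Find a key by its hash, comparing in constant time."""
    h = hash_key(presented)
    return next((k for k in store if hmac.compare_digest(k.key_hash, h)), None)


def authorize(store: list, presented: str, holder_perms: dict,
              object_id: str, action: str) -> bool:
    """Allow an action only if the key grants it AND its holder can currently do it.

    holder_perms is the holder's live permission map (object_id -> actions), so a
    key loses access the moment the holder does. Key management is never allowed
    through a key, so a leaked key cannot mint or revoke others.
    """
    key = lookup(store, presented)
    if key is None or key.revoked:
        return False
    if action.startswith("keys:"):
        return False               # session-only; never reachable via a key
    granted = key.scopes.get(object_id, set())
    capped = holder_perms.get(object_id, set())
    # No owner shortcut: the key gets exactly the intersection, never the holder's full set
    return action in granted and action in capped
```

The holder's permissions are passed in on every call rather than copied into the key, which is what makes revoking or downgrading the holder take effect immediately for all their keys.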

Webhooks and intake

  • Outbound webhooks and URL imports are guarded against internal-network requests (SSRF), so they can't be aimed at private addresses.
  • Webhook payloads carry event metadata, not document contents.

Good to know

AI assistants connect over MCP with scoped, short-lived, revocable access: they can never see what you can't, and access stops the instant you revoke it.

Tip

Give each integration its own key with the narrowest scope it needs, and rotate on a schedule.
